Best way to set up subnet (best practices)

[JCBiggs]

Finally got my fiber node installed and im you by to be starting up a. New server build in conjunction with some workstations i have to get going.  

 

I have two severs that will be public.  (a dns server,  and  a web site server)   two separate machines.  What's the best way to isolate these units from the rest of the home network and file server? 

 

Should i have a second switch/ hardware firewall behind the main switch and in front on my private devices,  or is that pointless?  I have forwarded all port 53 dns traffic to the dns server but what about other traffic to that server?   Should i block everything except the ports that allow updating of ubuntu and  bind? 

 

 

[Falconevo]

If you want some solid advice, don't run a DNS server open to the public if it gets exploited or abused it will be used for reflection attacks and you could end up in a really bad situation.  Avoid hosting your own public DNS services were possible,

What is the reason for a public DNS server, its very rare people need them.

 

You will need a firewall that is capable of splitting out the servers in to different zones which an IP range allocated to each of those zones, ideally on separate VLANs if your switch is a smart or managed switch.  Firewall ACL's will be required between zones should you need any inter-communication between servers on specific ports and any private range(s).

 

[JCBiggs]

I need the dns server.. for my own purposes.  Im aware of the exploit possibilities and have addressed them. 

 

The only inter-communication I need is that my devices will all be configured to use my personal dns server, and a port for ssh.  should be simple enough.  any recommendations on a good managed switch?  (been years since I bought one)

 

btw. all my home gear is 10gb  

[Falconevo]

No disrespect intended but if you are asking questions about firewall zones and subnet's you won't be aware of the exploit possibilities of hosting your own public DNS server.  I'm not here to stop you doing what you are doing, just advising you as best I can regarding security.

 

With relation to your home equipment being 10Gbit, are you referring to 10Gbe using Cat 6+ cabling or 10GBASE-X using SFP+?  Wouldn't be able to recommend anything without knowing that first.

 

 

[JCBiggs]

I disagree with your first comment and I will leave it at that.  

 

all but one of my servers use an  aggregated cat 6a link currently.  the file server has a sfp+ port.  

[leadeater]

I would put these servers in their own private subnet and put them behind a decent firewall like Sophos. Don't give your servers a routable internet IPv4 address unless there is a very good reason to.

[Falconevo]

18 hours ago, JCBiggs said:

I disagree with your first comment and I will leave it at that.  

 

all but one of my servers use an  aggregated cat 6a link currently.  the file server has a sfp+ port.  

I meant no disrespect, reading it back it is a little harsh but believe me hosting a public DNS server will create you problems.  Keep the bind software up to date and config as per best practice to prevent any unwanted dramas.

 

How many network ports do you think you will need looking forward, you mention you only have 1 on an SFP+ in that case I would be looking at a smart switch with 2-4 SFP ports and the rest on 10GBe.  Assuming you want new and are trying to do this a little cheaper and don't need many ports I would probably go with a NetGear XS708T.

[JCBiggs]

 

 

right now I need  17 ports plus one fiber channel.  thats one for every room  in the house, plus the count for the link aggregation for the servers, plus the few extra devices that are in the same vicinity as the switch (smart tv's, media boxes, av.. etc.. they are all in the same local)  the only thing is the future security system will have more than 7 cameras, but I think i might just wait and get a separate switch for that with POE. 

 

I was thinking about this d-link...

 

 

,,,welll... i was looking at a dlink.. i cant find the dang link now.. ill post it later.

[Falconevo]

5 minutes ago, JCBiggs said:

 

 

right now I need  17 ports plus one fiber channel.  thats one for every room  in the house, plus the count for the link aggregation for the servers, plus the few extra devices that are in the same vicinity as the switch (smart tv's, media boxes, av.. etc.. they are all in the same local)  the only thing is the future security system will have more than 7 cameras, but I think i might just wait and get a separate switch for that with POE. 

 

I was thinking about this d-link...

 

 

,,,welll... i was looking at a dlink.. i cant find the dang link now.. ill post it later.

Not going to lie, things get really expensive when you are looking at more than 10 ports.  They do a 28 port version of the switch I referred to which is a Netgear XS728T.. that is 24x 10GBe all round with 4SFP+ ports.  Brand new you will be shelling out over £2000 for one.

I would likely go looking for a second hand Dell Force10 or HP Procurve Switch personally as they are likely to be a significant reduction in cost.  

If you can live with 1GBe for 90% of ports then utilise a module for the other 10Gbe ports?  This would bring the costs down to a more manageable sub £500

[leadeater]

Have a look at the Ubnt ES-16-XG, it's the most basic 10Gb switch you'll find with that many ports at such a low new cost.

https://www.ubnt.com/edgemax/edgeswitch-16-xg/

 

If you want anything better buy used, used may even be better,

[JCBiggs]

wow.. that thing is nice on the cost! that looks like a winner. 

[Falconevo]

11 minutes ago, leadeater said:

Have a look at the Ubnt ES-16-XG, it's the most basic 10Gb switch you'll find with that many ports at such a low new cost.

https://www.ubnt.com/edgemax/edgeswitch-16-xg/

 

If you want anything better buy used, used may even be better,

Ubiquiti make some excellent hardware and have quality software features to go with it so defo worth a look

I haven't used any of their switches so can't really advise on how well they work but I have used their EdgeRouter, AirMax and AirFiber equipment and it is absolutely rock solid.

[leadeater]

3 minutes ago, JCBiggs said:

wow.. that thing is nice on the cost! that looks like a winner. 

Check out the reviews of it first before buying, there were some not so nice points to it.

[JCBiggs]

yeah i read them... i figure i might have to get specific hardware to work with it.. but cant beat that price.  hell i was looking at a cisco that was 3k. lol.  

[leadeater]

Just now, JCBiggs said:

yeah i read them... i figure i might have to get specific hardware to work with it.. but cant beat that price.  hell i was looking at a cisco that was 3k. lol.  

Cisco SG500XG-8F8T by any chance? Or the compact 3560? I've been wanting the SG500XG for a while since I have a SG300 and need a 10Gb upgrade option but much better offering have started coming up since that product was released, not to mention the new multigigabit standard is a real thing now.

[JCBiggs]

no the one i was looking at was a much older 48 port.. not really what i needed.,   all three of the switches you posted look like pretty good deals. 

[leadeater]

6 minutes ago, JCBiggs said:

no the one i was looking at was a much older 48 port.. not really what i needed.,   all three of the switches you posted look like pretty good deals. 

Seems there are also Cisco SG350X and SG550X 10Gb options now, but all these Cisco options are not exactly cheap.

[JCBiggs]

yeah im not trying to go cheap... but im not trying to pay a few thousand dollars either. this is mainly for testing/learning.  

[leadeater]

1 minute ago, JCBiggs said:

yeah im not trying to go cheap... but im not trying to pay a few thousand dollars either. this is mainly for testing/learning.  

Allied Telesis AT-XS916MXT might be worth looking at, I've deployed a lot of their x900, x510 and x610 products and really like them. Will likely be hard to source and you'll have to go through a proper retail partner. It's still by no means cheap but cheaper than most Cisco options.

 

http://www.alliedtelesis.com/products/xs900mx-series

 

I'm rather biased against D-Link especially, hate their products nothing but hassles but that was very long time ago. I also don't hold Netgear in high regard either, just get the impression they are low quality cheap and I've had bad experiences with their 2U 12 bay rackmount NAS's with horrific firmware (had to get them to make custom firmware for me).

[JCBiggs]

i setup some netgear 8 port switches a while back and every one of them failed in under 2 years. Ill never buy anything with netgear plastered on it.  thanks for the options. Ill take a good look at these things.

[JCBiggs]

On 12/20/2016 at 8:53 AM, leadeater said:

Have a look at the Ubnt ES-16-XG, it's the most basic 10Gb switch you'll find with that many ports at such a low new cost.

https://www.ubnt.com/edgemax/edgeswitch-16-xg/

 

If you want anything better buy used, used may even be better,

Do you have any idea where i can buy 1g copper transceivers? I found some new 10g ones from prolabs but they are expensive and unnecessary. 

[leadeater]

1 minute ago, JCBiggs said:

Do you have any idea where i can buy 1g copper transceivers? I found some new 10g ones from prolabs but they are expensive and unnecessary. 

ebay?

[JCBiggs]

All i can find is SFP.. not sfp+   

[leadeater]

3 minutes ago, JCBiggs said:

All i can find is SFP.. not sfp+   

You can use SFP in SFP+ ports, I don't even think there are SFP+ 1Gbps modules now that I think about it.

[JCBiggs]

i have found quite a few sfp  1 gig transceivers.  i didnt know sfp and sfp+ were compatible.